Use --no-lazy --stress-lazy-source-positions when --fuzzing

This will allow bugs such as crbug.com/1394403 to be found much more easily
by fuzzers, as it will cause d8 to compile every function twice and to
verify that the resulting bytecode is the same.

In order not to lose fuzzer coverage of e.g. lazy compilation, this CL
also adds --lazy and --no-stress-lazy-source-positions to the fuzzer
configurations, to be chosen with a small probability.

Bug: chromium:1394403
Change-Id: I172ac483b45978a669c9787e5f851daa985fd1f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096480
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84811}
Author: Samuel Groß, 2022-12-13 12:17:50 +00:00, committed by V8 LUCI CQ
Parent: 689f0be089
Commit: 65f1501634
2 changed files with 9 additions and 1 deletion


@ -1979,6 +1979,12 @@ DEFINE_BOOL(
"Fuzzers use this flag to signal that they are ... fuzzing. This causes "
"intrinsics to fail silently (e.g. return undefined) on invalid usage.")
// When fuzzing, always compile functions twice and ensure that the generated
// bytecode is the same. This can help find bugs such as crbug.com/1394403 as it
// avoids the need for bytecode aging to kick in to trigger the recomplication.
DEFINE_WEAK_NEG_IMPLICATION(fuzzing, lazy)
DEFINE_WEAK_IMPLICATION(fuzzing, stress_lazy_source_positions)
#if defined(V8_OS_AIX) && defined(COMPONENT_BUILD)
// FreezeFlags relies on mprotect() method, which does not work by default on
// shared mem: https://www.ibm.com/docs/en/aix/7.2?topic=m-mprotect-subroutine
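Review bot: typo in the new comment, `// avoids the need for bytecode aging to kick in to trigger the recomplication.` should read `recompilation`. The same comment also says fuzzing will "always compile functions twice", but both lines are weak implications (`DEFINE_WEAK_NEG_IMPLICATION(fuzzing, lazy)` and `DEFINE_WEAK_IMPLICATION(fuzzing, stress_lazy_source_positions)`), so an explicit `--lazy` or `--no-stress-lazy-source-positions` on the command line, which is exactly what the fuzzer config change relies on, overrides them; suggest "by default, compile functions twice ..." so the comment matches the flag semantics.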


@ -37,5 +37,7 @@
{"app_args": "--stress-scavenge=100", "app_name": "d8", "probability": 0.05},
{"app_args": "--turbo-instruction-scheduling", "app_name": "d8", "probability": 0.1},
{"app_args": "--turbo-stress-instruction-scheduling", "app_name": "d8", "probability": 0.1},
{"app_args": "--stress-wasm-code-gc", "app_name": "d8", "probability": 0.1}
{"app_args": "--stress-wasm-code-gc", "app_name": "d8", "probability": 0.1},
{"app_args": "--lazy", "app_name": "d8", "probability": 0.1},
{"app_args": "--no-stress-lazy-source-positions", "app_name": "d8", "probability": 0.1}
]
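Review bot: the two new entries flip the two implications independently, so a run that draws `--lazy` keeps `--stress-lazy-source-positions` in effect and a run that draws `--no-stress-lazy-source-positions` still runs with `--no-lazy`; if the intent is to also cover plain lazy compilation without the double-compile check, a third entry combining both flags would be needed, otherwise this is fine as a partial restoration of the old coverage. The `--stress-wasm-code-gc` line is removed and re-added only to gain the trailing comma, and the new final entry correctly has none, so the JSON stays valid.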